[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Jim Reid jim at rfc1035.com
Mon May 1 03:00:10 CEST 2006
On May 1, 2006, at 01:15, Bill Larson wrote:

> How can the "security of the DNS system" be considered as any
> better than the security of the parent servers?

Because the parent is not usually authoritative for its children. Sure, the parent could insert bogus delegation info: a fake glue or NS record. But this is little different from a slave server for the child that tells lies about the zone. If anything, a lying slave is probably much worse because the cache poisoning heuristics in a decent implementation will give more credence to what an authoritative child has to say than a non-authoritative parent.

> Using an example from the paper. If the FBI has a delegated server
> that can be easily hijacked, then this would mean that a significant
> number of queries for information in the "fbi.gov" domain could be
> subverted with invalid info. This is a security issue and it is not an
> issue under the direct control of the FBI (except for their decision to
> base their operation on a third party service).

One would hope that if someone outsources DNS service to a third party, that will be subject to a contract which includes performance levels, problem escalation, response to security incidents as well as criminal or civil penalties for non-compliance. I'd get those safeguards buying a cup of coffee, so why not when buying DNS service?

> Isn't this the same type of security issue evaluated with COPS?

I don't think so.
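The "credence" behaviour Jim describes is the trust ranking of RFC 2181 section 5.4.1 combined with a bailiwick check: a resolver cache ranks each record by how credible the reply it came from is, refuses to let a less credible source (such as glue in a parent's non-authoritative delegation reply) overwrite a more credible one (the child's own authoritative answer), and discards data a server had no business speaking for at all. The toy cache below is an added example written for this archive page, not code from the list post or from any resolver; the `Trust` ranks are a simplified version of the RFC's ordering, the `TrustRankedCache`, `RRset` and `in_bailiwick` names are my own, and the zones and addresses in `demo()` are constructed from documentation names and RFC 5737 address space.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Credibility ranks, lowest to highest (simplified from RFC 2181 section 5.4.1)."""
    NONAUTH_ADDITIONAL = 1  # glue in the additional section of a non-authoritative reply (parent delegation)
    NONAUTH_ANSWER = 2      # answer section of a non-authoritative reply (e.g. another cache)
    AUTH_ADDITIONAL = 3     # additional section of a reply from a server authoritative for the zone
    AUTH_ANSWER = 4         # answer section of a reply from a server authoritative for the zone


@dataclass(frozen=True)
class RRset:
    name: str          # owner name, e.g. "ns1.example.com"
    rtype: str         # "A", "NS", ...
    rdata: tuple       # record data, e.g. ("192.0.2.10",)
    trust: Trust       # how credible the reply it came from is
    source_zone: str   # zone the responding server is (claimed to be) authoritative for


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`: the only names that zone's server may speak for."""
    name, zone = _norm(name), _norm(zone)
    if zone == "":              # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)


class TrustRankedCache:
    """Cache keyed by (name, type); each entry remembers the trust rank it was learned with."""

    def __init__(self):
        self._store = {}

    def insert(self, rr: RRset) -> bool:
        """Accept `rr` only if it is in bailiwick and more credible than what is cached.
        Returns True when the cache was updated."""
        if not in_bailiwick(rr.name, rr.source_zone):
            return False  # out-of-bailiwick data is discarded outright
        key = (_norm(rr.name), rr.rtype)
        existing = self._store.get(key)
        if existing is not None and existing.trust >= rr.trust:
            return False  # never let a less credible source overwrite a more credible one
        self._store[key] = rr
        return True

    def lookup(self, name: str, rtype: str):
        rr = self._store.get((_norm(name), rtype))
        return rr.rdata if rr is not None else None


def demo():
    """Constructed exchange: parent glue, the child's own authoritative answer, then conflicting
    parent glue and an out-of-bailiwick NS record. Returns what the cache ends up holding."""
    cache = TrustRankedCache()
    # 1. The parent ("com") delegates example.com and supplies glue for the child's name server.
    cache.insert(RRset("ns1.example.com", "A", ("192.0.2.1",), Trust.NONAUTH_ADDITIONAL, "com"))
    # 2. The child's authoritative server answers for its own name: higher rank, replaces the glue.
    cache.insert(RRset("ns1.example.com", "A", ("192.0.2.10",), Trust.AUTH_ANSWER, "example.com"))
    # 3. A later delegation reply from the parent carries different glue: rejected, lower rank.
    cache.insert(RRset("ns1.example.com", "A", ("198.51.100.9",), Trust.NONAUTH_ADDITIONAL, "com"))
    # 4. A server authoritative only for other.com offers an NS record for example.com: out of bailiwick.
    cache.insert(RRset("example.com", "NS", ("ns.other.com",), Trust.AUTH_ANSWER, "other.com"))
    return cache.lookup("ns1.example.com", "A"), cache.lookup("example.com", "NS")


if __name__ == "__main__":
    print(demo())
```

Step 3 is the case from the thread: once the child has spoken authoritatively, a parent that "tells lies about the zone" cannot displace that answer until it expires, whereas a lying slave for the child would be inserting data at the highest rank. Real resolvers add TTL handling and more ranks than shown here.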